diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 4baecacb..d37f4cdc 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -840,13 +840,19 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
         /* output the first certificate, for GMTLS it is sign cert */
         if (chain_count) {
             x = sk_X509_value(chain, 0);
+            if (SSL_IS_GMTLS(s)) {
+                if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
+                    X509_STORE_CTX_free(xs_ctx);
+                    return 0;
+                }
+            }
             if (!ssl_add_cert_to_buf(buf, l, x)) {
+                X509_STORE_CTX_free(xs_ctx);
                 return 0;
             }
         }
-        if (s->version == GMTLS_VERSION) {
-            /* 我们还应该检查cpk的类型 */
-            x = s->cert->pkeys[SSL_PKEY_SM2_ENC].x509;			
+        if (SSL_IS_GMTLS(s)) {
+            x = s->cert->pkeys[SSL_PKEY_SM2_ENC].x509;
             if (!ssl_add_cert_to_buf(buf, l, x)) {
                 return 0;
             }
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 67a50d0a..de7b0612 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2642,7 +2642,7 @@ void ssl_set_masks(SSL *s)
     X509 *x = NULL;
 #endif
 #ifndef OPENSSL_NO_SM2
-    int have_sm2_cert, sm2sign_ok;
+    int sm2_enc, sm2_sign;
 #endif
     if (c == NULL)
         return;
@@ -2660,7 +2660,8 @@ void ssl_set_masks(SSL *s)
     have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
 #endif
 #ifndef OPENSSL_NO_SM2
-    have_sm2_cert = pvalid[SSL_PKEY_SM2_ENC] & CERT_PKEY_VALID;
+    sm2_enc = pvalid[SSL_PKEY_SM2_ENC] & CERT_PKEY_VALID;
+    sm2_sign = pvalid[SSL_PKEY_SM2_SIGN] & CERT_PKEY_SIGN;
 #endif
     mask_k = 0;
     mask_a = 0;
@@ -2725,10 +2726,15 @@ fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
     }
 #endif
 #ifndef OPENSSL_NO_SM2
-    //这个现在不好用啊！
-    if (have_sm2_cert) {
+    if (sm2_enc) {
+        mask_k |= SSL_kSM2;
+    }
+    if (sm2_sign) {
+        mask_a |= SSL_aSM2;
+    }
+/*
+    {
         uint32_t ex_kusage;
-fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
         cpk = &c->pkeys[SSL_PKEY_SM2_SIGN];
         x = cpk->x509;
 	OPENSSL_assert(x);
@@ -2739,6 +2745,7 @@ fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
         if (sm2sign_ok)
             mask_a |= SSL_aSM2;
     }
+*/
 #endif
 
 #ifndef OPENSSL_NO_EC
@@ -2886,8 +2893,10 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher,
         idx = SSL_PKEY_ECC;
 #ifndef OPENSSL_NO_SM2
     else if ((alg_a & SSL_aSM2) &&
-              (c->pkeys[SSL_PKEY_SM2_SIGN].privatekey != NULL))
+              (c->pkeys[SSL_PKEY_SM2_SIGN].privatekey != NULL)) {
         idx = SSL_PKEY_SM2_SIGN;
+fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
+    }
 #endif
     if (idx == -1) {
         SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index bee160fe..d811addc 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -425,8 +425,8 @@
 # define SSL_PKEY_GOST01         4
 # define SSL_PKEY_GOST12_256     5
 # define SSL_PKEY_GOST12_512     6
-# define SSL_PKEY_SM2_ENC        7
-# define SSL_PKEY_SM2_SIGN       8
+# define SSL_PKEY_SM2            7
+# define SSL_PKEY_SM2_ENC        8
 # define SSL_PKEY_SM9_SIGN       9
 # define SSL_PKEY_NUM           10
 
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 25df5c22..459328d0 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -22,9 +22,7 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#ifndef OPENSSL_NO_GMTLS
 #include <openssl/x509v3.h>
-#endif
 
 /*
  * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
@@ -517,6 +515,23 @@ int tls_get_message_body(SSL *s, unsigned long *len)
     return 1;
 }
 
+#ifndef OPENSSL_NO_SM2
+static int ssl_cert_type_ecc(const X509 *x, const EVP_PKEY *pk)
+{
+    if (x && X509_get_signature_nid(x) == NID_sm2sign) {
+        if (X509_get_key_usage((X509 *)x) & X509v3_KU_DIGITAL_SIGNATURE)
+            return SSL_PKEY_SM2;
+        else
+            return SSL_PKEY_SM2_ENC;
+    }
+    if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
+        (EC_KEY *)EVP_PKEY_get0(pk))) == NID_sm2p256v1) {
+        return SSL_PKEY_SM2;
+    }
+    return SSL_PKEY_ECC;
+}
+#endif
+
 int ssl_cert_type(const X509 *x, const EVP_PKEY *pk)
 {
     if (pk == NULL && (pk = X509_get0_pubkey(x)) == NULL)
@@ -531,27 +546,11 @@ int ssl_cert_type(const X509 *x, const EVP_PKEY *pk)
         return SSL_PKEY_DSA_SIGN;
 #ifndef OPENSSL_NO_EC
     case EVP_PKEY_EC:
-#ifndef OPENSSL_NO_GMTLS
-/*			
-在use_cert时，调用方提供证书，因此可以根据keyUsage选择公钥类型
-但是use_key时，没有证书，因此这个函数只能做一个猜测
-如果这两者并不一致时，就出现错误了！
-*/
-        if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
-            (EC_KEY *)EVP_PKEY_get0(pk))) == NID_sm2p256v1) {
-            if (x) {
-                if (X509_get_key_usage((X509 *)x) & X509v3_KU_DIGITAL_SIGNATURE) {
-                    return SSL_PKEY_SM2_SIGN;
-                } else {
-                    return SSL_PKEY_SM2_ENC;
-                }
-            } else
-            {
-                return SSL_PKEY_SM2_SIGN;
-            }
-        }
-#endif
+# ifndef OPENSSL_NO_SM2
+        return ssl_cert_type_ecc(x, pk);
+# else
         return SSL_PKEY_ECC;
+# endif
 #endif
 #ifndef OPENSSL_NO_GOST
     case NID_id_GostR3410_2001: